2007-01-01
Abstract
'The malware research community [is] the authority with regard to assisting newcomers in the adoption of safe practices.' Ryan Hicks, Earthlink.
Copyright © 2007 Virus Bulletin
Since the turn of the century the malware landscape has been changing steadily. Previously, most attention and effort was focused on the problems created by malicious self-replicating code. Even though trojans had existed and caused problems for some time, viruses and worms were considered the only threats worthy of attention. However, the situation has since changed.
Initially, there was debate in the research community as to whether or not early trojans (e.g. simple keyloggers, autodialers, etc.) constituted enough of a threat to warrant detection and cleaning. But as vendors started adding trojans to their definition sets, another problem arose. Certain companies were producing software that was allegedly within legal bounds and/or installed with user consent, but which could otherwise be considered malware. The combination of the AV industry’s reluctance to detect trojans and the legal wrangling left a gap that was later filled by the anti-spyware industry.
But the separation in focus didn’t last long. Anti-virus (AV) vendors created their own anti-spyware products through acquisition, in-house development, or both, and anti-spyware vendors began adding anti-virus capability through partnerships or in-house development. The two sides of the industry have come closer together and will likely soon become indistinguishable.
The rise of the anti-spyware industry was not limited simply to technological or product development. Difficult policy and law enforcement issues also needed to be resolved. While viruses and worms can always be said to be unwanted, spyware is not as easily classified.
At the forefront of addressing these issues is the Anti-Spyware Coalition (ASC). Among the myriad issues with which the ASC is concerned are several of which the AV industry and research community already have a vast amount of knowledge and experience: sample sharing and safe handling, participant vetting, and control of information dissemination.
The transition of the AV community from focusing on self-replicating malware to the inclusion of non-replicating malware is still under way, and already yet another threat has become a significant problem: phishing. The Anti-Phishing Working Group (APWG) brings together policy makers, law enforcement bodies, customers and vendors to address the issues related to phishing. Like the anti-spyware community, anti-phishing efforts are faced with issues that are well known to the AV industry: sample sharing and safe handling, participant vetting, and control of information dissemination.
It is apparent that this represents a massive duplication of effort. Organizations at the forefront of the latest software security issues are spending time and effort developing policies and procedures that the AV vendor and research community already has in place. Even though the AV industry is well represented in the ASC and the APWG, the technical and procedural efforts should be more visibly led by the AV research community.
For nearly two decades, the AV research community has developed proven procedures for every aspect of malware research. The newer threats of spyware and phishing will require new policies, best practices, and new laws for the investigation and prosecution of offenders. However, the concerns regarding the sharing of samples with trusted community members, the safe handling of those samples, the vetting and acceptance of new members in the research community, and the dissemination of sensitive information remain the same.
New organizations such as the ASC and APWG are being created to address the greater issues of how to deal with new threats. While the malware research community may not be expert in the creation of policy or law enforcement, we are the authority with regard to assisting newcomers in the adoption of safe practices. As such, it is incumbent on the malware research community to take the lead and establish a means by which newcomers can benefit from our knowledge and experience.